Very small updates to the tunnels framework.

- Make the uid field optional since it's conceptually incorrect for proxies being treated as tunnels to have it. - Reordered two fields in the log. - Reduced the default tunnel expiration interface to something more reasonable (1 hour).
2025-10-13 03:58:20 +00:00 · 2012-06-20 13:56:42 -04:00 · 2012-06-20 13:56:42 -04:00 · c30c0d5ff2
commit c30c0d5ff2
parent 83f385b2b0
2 changed files with 11 additions and 7 deletions
--- a/scripts/base/frameworks/tunnels/main.bro
+++ b/scripts/base/frameworks/tunnels/main.bro
@ -28,17 +28,20 @@ export {
 		ts:          time         &log;
 		## The unique identifier for the tunnel, which may correspond
 		## to a :bro:type:`connection`'s *uid* field for non-IP-in-IP tunnels.
-		uid:         string       &log;
+		## This is optional because there could be numerous connections
+		## for payload proxies like SOCKS but we should treat it as a single
+		## tunnel.
+		uid:         string       &log &optional;
 		## The tunnel "connection" 4-tuple of endpoint addresses/ports.
 		## For an IP tunnel, the ports will be 0.
 		id:          conn_id      &log;
-		## The type of activity that occurred.
-		action:      Action       &log;
 		## The type of tunnel.
 		tunnel_type: Tunnel::Type &log;
+		## The type of activity that occurred.
+		action:      Action       &log;
 	};

-	## Logs all tunnels in an ecapsulation chain with action
+	## Logs all tunnels in an encapsulation chain with action
 	## :bro:see:`Tunnel::DISCOVER` that aren't already in the
 	## :bro:id:`Tunnel::active` table and adds them if not.
 	global register_all: function(ecv: EncapsulatingConnVector);
@ -71,7 +74,7 @@ export {

 	## The amount of time a tunnel is not used in establishment of new
 	## connections before it is considered inactive/expired.
-	const expiration_interval = 24hrs &redef;
+	const expiration_interval = 1hrs &redef;

 	## Currently active tunnels.  That is, tunnels for which new, encapsulated
 	## connections have been seen in the interval indicated by
@ -104,7 +107,8 @@ function register(ec: EncapsulatingConn)
 		{
 		local tunnel: Info;
 		tunnel$ts = network_time();
-		tunnel$uid = ec$uid;
+		if ( ec?$uid )
+			tunnel$uid = ec$uid;
 		tunnel$id = ec$cid;
 		tunnel$action = DISCOVER;
 		tunnel$tunnel_type = ec$tunnel_type;
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -191,7 +191,7 @@ export {
 		tunnel_type: Tunnel::Type;
 		## A globally unique identifier that, for non-IP-in-IP tunnels,
 		## cross-references the *uid* field of :bro:type:`connection`.
-		uid: string;
+		uid: string &optional;
 	} &log;
 } # end export
 module GLOBAL;